Hiding malicious commands in copy-and-pasted text


Quite often websites will encourage you to copy and paste commands into your terminal.

There are a variety of reasons why this is bad - not least because someone could hide malicious code in what you copy. That's usually done with a bit of CSS to make the evil command invisible on the page, or with JavaScript that rewrites the clipboard contents at the moment you copy.

Here's a method that I hadn't seen before. At this point the post has a live demo: what looks like the plain text "curl ipconfig.io", which you're invited to copy and paste into your terminal to see your external IP address (the markup behind it is reproduced below).

Notice anything weird about it? Depending on how you selected it, possibly not. Try pasting it into your terminal.

Let's take a look at how it works:

<input 
  type="text"
  readonly=""
  value="curl ipconfig.io  ;yes &quot;Don't copy and paste commands!&quot;"
  size="17"
  style="display: inline;
         width: fit-content;
         background: var(--color-box);
         border: none;
         outline: none;
         padding: 0;
         font-family:monospace;
         border-radius: 0;">

It's a readonly text input! The size attribute is set to 17 characters, so the box only shows "curl ipconfig.io" and cuts off everything after the innocuous command - but the value still holds the whole string, so selecting the text and copying takes the hidden ';yes "Don't copy and paste commands!"' along with it. Once pasted and run, yes prints that message in a loop until you hit Ctrl-C. The CSS makes it look like part of the regular page with none of the styling associated with an input.
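As an added example (not code from the post), here is the trick modelled as plain data, plus a scan that a reader can run from a browser's devtools console to find any input whose value is longer than its visible box. The mapping of size to characters is an approximation: size is a hint in characters, and the real clipped width depends on the font and the browser.

```javascript
// Added example (not from the original post): model the readonly-input trick
// and scan a page for inputs whose value is wider than their visible box.

// The input from the post, as plain data so the logic runs outside a browser.
const SAMPLE_INPUT = {
  readOnly: true,
  size: 17,
  value: 'curl ipconfig.io  ;yes "Don\'t copy and paste commands!"',
};

// Roughly what a reader sees in a size=N input (about N characters in a
// monospace font; the exact width is browser-defined) versus what
// "select all + copy" actually puts on the clipboard.
function splitVisible(input) {
  const visible = input.value.slice(0, input.size);
  const hidden = input.value.slice(input.size);
  return { visible, hidden, copied: input.value };
}

// Heuristic scan: any input whose value overflows its declared size.
// `inputs` is any iterable of objects with value/size, e.g. the result of
// document.querySelectorAll('input') in a browser.
function findClippedInputs(inputs) {
  const hits = [];
  for (const el of inputs) {
    const size = Number(el.size) || 20; // HTML's default size is 20
    if (typeof el.value === 'string' && el.value.length > size) {
      hits.push(splitVisible({ value: el.value, size }));
    }
  }
  return hits;
}

if (typeof document !== 'undefined') {
  // In a browser: paste into the console or wrap as a bookmarklet.
  for (const hit of findClippedInputs(document.querySelectorAll('input'))) {
    console.warn('visible:', hit.visible, '\nhidden:', hit.hidden);
  }
} else {
  // Stand-alone (Node): show the split for the sample input from the post.
  const r = splitVisible(SAMPLE_INPUT);
  console.log('visible :', r.visible);
  console.log('hidden  :', r.hidden);
}
```

The scan only catches this particular trick; it says nothing about CSS-hidden spans or a copy-event handler that rewrites the clipboard, so treat it as one check among several rather than a guarantee.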

I'd hope that most people would realise that the command they pasted looked different from the one they thought had been copied - but we all make mistakes.



4 thoughts on “Hiding malicious commands in copy-and-pasted text”

  1. said on chaos.social:

    @Edent

    I think it was CSI 3i in SCO Xenix that worked as a "print screen" command. But for a terminal, so it would send the content of the screen back to the tty, which was supposed to capture it and then do something with it, for example printing.

    So if somebody had a root shell open, and was mesg y, you could send them 'clear screen', some command, 'csi 3i' and the screen content - the command - would be echoed back to the tty, with the shell listening.

    Very quickly my admin had 'mesg n'

  2. said on mastodon.social:

    @Edent Recent versions of Bash and readline have a workaround for this in some terminal environments, called 'bracketed paste'. When you paste into the terminal to Bash, the pasted text doesn't immediately take effect (even if it has embedded newlines) but instead gets highlighted and you have to explicitly accept it (or you can edit it, abort it with Ctrl-C, etc).

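As an added example (not from the post or the commenter), here is how to check and turn on the readline setting the comment refers to. The first function reads the output of bash's "bind -v" from stdin and reports the state of enable-bracketed-paste; the second appends the setting to an inputrc file only if it isn't already there. The sample "bind -v" lines used in the usage comment are constructed.

```bash
#!/bin/sh
# Added example (not from the post): check and enable readline's bracketed
# paste, which makes bash show pasted text for editing before it is executed.

# Reads `bind -v` style output on stdin and prints the state of
# enable-bracketed-paste: "on", "off", or "unknown" if the line is absent.
bracketed_paste_state() {
  awk '$1 == "set" && $2 == "enable-bracketed-paste" { print $3; found = 1 }
       END { if (!found) print "unknown" }'
}

# Appends the inputrc setting to the file named in $1 unless an identical
# line is already present. Prints "added" or "present" for the caller.
enable_bracketed_paste() {
  rc="$1"
  line='set enable-bracketed-paste on'
  if [ -f "$rc" ] && grep -qxF "$line" "$rc"; then
    echo present
  else
    printf '%s\n' "$line" >> "$rc"
    echo added
  fi
}

# Usage from an interactive bash session (bind is a bash builtin):
#   bind -v | bracketed_paste_state          # prints on / off / unknown
#   enable_bracketed_paste ~/.inputrc        # persist the setting
#   bind 'set enable-bracketed-paste on'     # apply it to the current shell
```

Newer bash releases (5.1 and later) enable bracketed paste by default, so the check will usually print "on" there; older shells, and environments whose terminal does not support the escape sequence, are where the explicit setting matters.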
